search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lisp/progmodes/python.el: Updated Copyright years.
[emacs.git] / lib / sha256.c
bloba8d29da18ddfe6536f1444ce8d9ffb2ccfb94cb5
1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2012 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #include "sha256.h"
26
27 #include <stdalign.h>
28 #include <stdint.h>
29 #include <stdlib.h>
30 #include <string.h>
31
32 #if USE_UNLOCKED_IO
33 # include "unlocked-io.h"
34 #endif
35
36 #ifdef WORDS_BIGENDIAN
37 # define SWAP(n) (n)
38 #else
39 # define SWAP(n) \
40 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
41 #endif
42
43 #define BLOCKSIZE 32768
44 #if BLOCKSIZE % 64 != 0
45 # error "invalid BLOCKSIZE"
46 #endif
47
48 /* This array contains the bytes used to pad the buffer to the next
49 64-byte boundary. */
50 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
51
52
53 /*
54 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
55 initializes it to the start constants of the SHA256 algorithm. This
56 must be called before using hash in the call to sha256_hash
57 */
58 void
59 sha256_init_ctx (struct sha256_ctx *ctx)
60 {
61 ctx->state[0] = 0x6a09e667UL;
62 ctx->state[1] = 0xbb67ae85UL;
63 ctx->state[2] = 0x3c6ef372UL;
64 ctx->state[3] = 0xa54ff53aUL;
65 ctx->state[4] = 0x510e527fUL;
66 ctx->state[5] = 0x9b05688cUL;
67 ctx->state[6] = 0x1f83d9abUL;
68 ctx->state[7] = 0x5be0cd19UL;
69
70 ctx->total[0] = ctx->total[1] = 0;
71 ctx->buflen = 0;
72 }
73
74 void
75 sha224_init_ctx (struct sha256_ctx *ctx)
76 {
77 ctx->state[0] = 0xc1059ed8UL;
78 ctx->state[1] = 0x367cd507UL;
79 ctx->state[2] = 0x3070dd17UL;
80 ctx->state[3] = 0xf70e5939UL;
81 ctx->state[4] = 0xffc00b31UL;
82 ctx->state[5] = 0x68581511UL;
83 ctx->state[6] = 0x64f98fa7UL;
84 ctx->state[7] = 0xbefa4fa4UL;
85
86 ctx->total[0] = ctx->total[1] = 0;
87 ctx->buflen = 0;
88 }
89
90 /* Copy the value from v into the memory location pointed to by *cp,
91 If your architecture allows unaligned access this is equivalent to
92 * (uint32_t *) cp = v */
93 static inline void
94 set_uint32 (char *cp, uint32_t v)
95 {
96 memcpy (cp, &v, sizeof v);
97 }
98
99 /* Put result from CTX in first 32 bytes following RESBUF. The result
100 must be in little endian byte order. */
101 void *
102 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
103 {
104 int i;
105 char *r = resbuf;
106
107 for (i = 0; i < 8; i++)
108 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
109
110 return resbuf;
111 }
112
113 void *
114 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
115 {
116 int i;
117 char *r = resbuf;
118
119 for (i = 0; i < 7; i++)
120 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
121
122 return resbuf;
123 }
124
125 /* Process the remaining bytes in the internal buffer and the usual
126 prolog according to the standard and write the result to RESBUF. */
127 static void
128 sha256_conclude_ctx (struct sha256_ctx *ctx)
129 {
130 /* Take yet unprocessed bytes into account. */
131 size_t bytes = ctx->buflen;
132 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
133
134 /* Now count remaining bytes. */
135 ctx->total[0] += bytes;
136 if (ctx->total[0] < bytes)
137 ++ctx->total[1];
138
139 /* Put the 64-bit file length in *bits* at the end of the buffer.
140 Use set_uint32 rather than a simple assignment, to avoid risk of
141 unaligned access. */
142 set_uint32 ((char *) &ctx->buffer[size - 2],
143 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
144 set_uint32 ((char *) &ctx->buffer[size - 1],
145 SWAP (ctx->total[0] << 3));
146
147 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
148
149 /* Process last bytes. */
150 sha256_process_block (ctx->buffer, size * 4, ctx);
151 }
152
153 void *
154 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
155 {
156 sha256_conclude_ctx (ctx);
157 return sha256_read_ctx (ctx, resbuf);
158 }
159
160 void *
161 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
162 {
163 sha256_conclude_ctx (ctx);
164 return sha224_read_ctx (ctx, resbuf);
165 }
166
167 /* Compute SHA256 message digest for bytes read from STREAM. The
168 resulting message digest number will be written into the 32 bytes
169 beginning at RESBLOCK. */
170 int
171 sha256_stream (FILE *stream, void *resblock)
172 {
173 struct sha256_ctx ctx;
174 size_t sum;
175
176 char *buffer = malloc (BLOCKSIZE + 72);
177 if (!buffer)
178 return 1;
179
180 /* Initialize the computation context. */
181 sha256_init_ctx (&ctx);
182
183 /* Iterate over full file contents. */
184 while (1)
185 {
186 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
187 computation function processes the whole buffer so that with the
188 next round of the loop another block can be read. */
189 size_t n;
190 sum = 0;
191
192 /* Read block. Take care for partial reads. */
193 while (1)
194 {
195 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
196
197 sum += n;
198
199 if (sum == BLOCKSIZE)
200 break;
201
202 if (n == 0)
203 {
204 /* Check for the error flag IFF N == 0, so that we don't
205 exit the loop after a partial read due to e.g., EAGAIN
206 or EWOULDBLOCK. */
207 if (ferror (stream))
208 {
209 free (buffer);
210 return 1;
211 }
212 goto process_partial_block;
213 }
214
215 /* We've read at least one byte, so ignore errors. But always
216 check for EOF, since feof may be true even though N > 0.
217 Otherwise, we could end up calling fread after EOF. */
218 if (feof (stream))
219 goto process_partial_block;
220 }
221
222 /* Process buffer with BLOCKSIZE bytes. Note that
223 BLOCKSIZE % 64 == 0
224 */
225 sha256_process_block (buffer, BLOCKSIZE, &ctx);
226 }
227
228 process_partial_block:;
229
230 /* Process any remaining bytes. */
231 if (sum > 0)
232 sha256_process_bytes (buffer, sum, &ctx);
233
234 /* Construct result in desired memory. */
235 sha256_finish_ctx (&ctx, resblock);
236 free (buffer);
237 return 0;
238 }
239
240 /* FIXME: Avoid code duplication */
241 int
242 sha224_stream (FILE *stream, void *resblock)
243 {
244 struct sha256_ctx ctx;
245 size_t sum;
246
247 char *buffer = malloc (BLOCKSIZE + 72);
248 if (!buffer)
249 return 1;
250
251 /* Initialize the computation context. */
252 sha224_init_ctx (&ctx);
253
254 /* Iterate over full file contents. */
255 while (1)
256 {
257 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
258 computation function processes the whole buffer so that with the
259 next round of the loop another block can be read. */
260 size_t n;
261 sum = 0;
262
263 /* Read block. Take care for partial reads. */
264 while (1)
265 {
266 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
267
268 sum += n;
269
270 if (sum == BLOCKSIZE)
271 break;
272
273 if (n == 0)
274 {
275 /* Check for the error flag IFF N == 0, so that we don't
276 exit the loop after a partial read due to e.g., EAGAIN
277 or EWOULDBLOCK. */
278 if (ferror (stream))
279 {
280 free (buffer);
281 return 1;
282 }
283 goto process_partial_block;
284 }
285
286 /* We've read at least one byte, so ignore errors. But always
287 check for EOF, since feof may be true even though N > 0.
288 Otherwise, we could end up calling fread after EOF. */
289 if (feof (stream))
290 goto process_partial_block;
291 }
292
293 /* Process buffer with BLOCKSIZE bytes. Note that
294 BLOCKSIZE % 64 == 0
295 */
296 sha256_process_block (buffer, BLOCKSIZE, &ctx);
297 }
298
299 process_partial_block:;
300
301 /* Process any remaining bytes. */
302 if (sum > 0)
303 sha256_process_bytes (buffer, sum, &ctx);
304
305 /* Construct result in desired memory. */
306 sha224_finish_ctx (&ctx, resblock);
307 free (buffer);
308 return 0;
309 }
310
311 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
312 result is always in little endian byte order, so that a byte-wise
313 output yields to the wanted ASCII representation of the message
314 digest. */
315 void *
316 sha256_buffer (const char *buffer, size_t len, void *resblock)
317 {
318 struct sha256_ctx ctx;
319
320 /* Initialize the computation context. */
321 sha256_init_ctx (&ctx);
322
323 /* Process whole buffer but last len % 64 bytes. */
324 sha256_process_bytes (buffer, len, &ctx);
325
326 /* Put result in desired memory area. */
327 return sha256_finish_ctx (&ctx, resblock);
328 }
329
330 void *
331 sha224_buffer (const char *buffer, size_t len, void *resblock)
332 {
333 struct sha256_ctx ctx;
334
335 /* Initialize the computation context. */
336 sha224_init_ctx (&ctx);
337
338 /* Process whole buffer but last len % 64 bytes. */
339 sha256_process_bytes (buffer, len, &ctx);
340
341 /* Put result in desired memory area. */
342 return sha224_finish_ctx (&ctx, resblock);
343 }
344
345 void
346 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
347 {
348 /* When we already have some bits in our internal buffer concatenate
349 both inputs first. */
350 if (ctx->buflen != 0)
351 {
352 size_t left_over = ctx->buflen;
353 size_t add = 128 - left_over > len ? len : 128 - left_over;
354
355 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
356 ctx->buflen += add;
357
358 if (ctx->buflen > 64)
359 {
360 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
361
362 ctx->buflen &= 63;
363 /* The regions in the following copy operation cannot overlap. */
364 memcpy (ctx->buffer,
365 &((char *) ctx->buffer)[(left_over + add) & ~63],
366 ctx->buflen);
367 }
368
369 buffer = (const char *) buffer + add;
370 len -= add;
371 }
372
373 /* Process available complete blocks. */
374 if (len >= 64)
375 {
376 #if !_STRING_ARCH_unaligned
377 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
378 if (UNALIGNED_P (buffer))
379 while (len > 64)
380 {
381 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
382 buffer = (const char *) buffer + 64;
383 len -= 64;
384 }
385 else
386 #endif
387 {
388 sha256_process_block (buffer, len & ~63, ctx);
389 buffer = (const char *) buffer + (len & ~63);
390 len &= 63;
391 }
392 }
393
394 /* Move remaining bytes in internal buffer. */
395 if (len > 0)
396 {
397 size_t left_over = ctx->buflen;
398
399 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
400 left_over += len;
401 if (left_over >= 64)
402 {
403 sha256_process_block (ctx->buffer, 64, ctx);
404 left_over -= 64;
405 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
406 }
407 ctx->buflen = left_over;
408 }
409 }
410
411 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
412
413 /* SHA256 round constants */
414 #define K(I) sha256_round_constants[I]
415 static const uint32_t sha256_round_constants[64] = {
416 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
417 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
418 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
419 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
420 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
421 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
422 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
423 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
424 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
425 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
426 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
427 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
428 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
429 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
430 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
431 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
432 };
433
434 /* Round functions. */
435 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
436 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
437
438 /* Process LEN bytes of BUFFER, accumulating context into CTX.
439 It is assumed that LEN % 64 == 0.
440 Most of this code comes from GnuPG's cipher/sha1.c. */
441
442 void
443 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
444 {
445 const uint32_t *words = buffer;
446 size_t nwords = len / sizeof (uint32_t);
447 const uint32_t *endp = words + nwords;
448 uint32_t x[16];
449 uint32_t a = ctx->state[0];
450 uint32_t b = ctx->state[1];
451 uint32_t c = ctx->state[2];
452 uint32_t d = ctx->state[3];
453 uint32_t e = ctx->state[4];
454 uint32_t f = ctx->state[5];
455 uint32_t g = ctx->state[6];
456 uint32_t h = ctx->state[7];
457 uint32_t lolen = len;
458
459 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
460 length of the file up to 2^64 bits. Here we only compute the
461 number of bytes. Do a double word increment. */
462 ctx->total[0] += lolen;
463 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
464
465 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
466 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
467 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
468 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
469 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
470
471 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
472 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
473 , x[I&0x0f] = tm )
474
475 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
476 t1 = H + SS1(E) \
477 + F1(E,F,G) \
478 + K \
479 + M; \
480 D += t1; H = t0 + t1; \
481 } while(0)
482
483 while (words < endp)
484 {
485 uint32_t tm;
486 uint32_t t0, t1;
487 int t;
488 /* FIXME: see sha1.c for a better implementation. */
489 for (t = 0; t < 16; t++)
490 {
491 x[t] = SWAP (*words);
492 words++;
493 }
494
495 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
496 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
497 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
498 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
499 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
500 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
501 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
502 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
503 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
504 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
505 R( g, h, a, b, c, d, e, f, K(10), x[10] );
506 R( f, g, h, a, b, c, d, e, K(11), x[11] );
507 R( e, f, g, h, a, b, c, d, K(12), x[12] );
508 R( d, e, f, g, h, a, b, c, K(13), x[13] );
509 R( c, d, e, f, g, h, a, b, K(14), x[14] );
510 R( b, c, d, e, f, g, h, a, K(15), x[15] );
511 R( a, b, c, d, e, f, g, h, K(16), M(16) );
512 R( h, a, b, c, d, e, f, g, K(17), M(17) );
513 R( g, h, a, b, c, d, e, f, K(18), M(18) );
514 R( f, g, h, a, b, c, d, e, K(19), M(19) );
515 R( e, f, g, h, a, b, c, d, K(20), M(20) );
516 R( d, e, f, g, h, a, b, c, K(21), M(21) );
517 R( c, d, e, f, g, h, a, b, K(22), M(22) );
518 R( b, c, d, e, f, g, h, a, K(23), M(23) );
519 R( a, b, c, d, e, f, g, h, K(24), M(24) );
520 R( h, a, b, c, d, e, f, g, K(25), M(25) );
521 R( g, h, a, b, c, d, e, f, K(26), M(26) );
522 R( f, g, h, a, b, c, d, e, K(27), M(27) );
523 R( e, f, g, h, a, b, c, d, K(28), M(28) );
524 R( d, e, f, g, h, a, b, c, K(29), M(29) );
525 R( c, d, e, f, g, h, a, b, K(30), M(30) );
526 R( b, c, d, e, f, g, h, a, K(31), M(31) );
527 R( a, b, c, d, e, f, g, h, K(32), M(32) );
528 R( h, a, b, c, d, e, f, g, K(33), M(33) );
529 R( g, h, a, b, c, d, e, f, K(34), M(34) );
530 R( f, g, h, a, b, c, d, e, K(35), M(35) );
531 R( e, f, g, h, a, b, c, d, K(36), M(36) );
532 R( d, e, f, g, h, a, b, c, K(37), M(37) );
533 R( c, d, e, f, g, h, a, b, K(38), M(38) );
534 R( b, c, d, e, f, g, h, a, K(39), M(39) );
535 R( a, b, c, d, e, f, g, h, K(40), M(40) );
536 R( h, a, b, c, d, e, f, g, K(41), M(41) );
537 R( g, h, a, b, c, d, e, f, K(42), M(42) );
538 R( f, g, h, a, b, c, d, e, K(43), M(43) );
539 R( e, f, g, h, a, b, c, d, K(44), M(44) );
540 R( d, e, f, g, h, a, b, c, K(45), M(45) );
541 R( c, d, e, f, g, h, a, b, K(46), M(46) );
542 R( b, c, d, e, f, g, h, a, K(47), M(47) );
543 R( a, b, c, d, e, f, g, h, K(48), M(48) );
544 R( h, a, b, c, d, e, f, g, K(49), M(49) );
545 R( g, h, a, b, c, d, e, f, K(50), M(50) );
546 R( f, g, h, a, b, c, d, e, K(51), M(51) );
547 R( e, f, g, h, a, b, c, d, K(52), M(52) );
548 R( d, e, f, g, h, a, b, c, K(53), M(53) );
549 R( c, d, e, f, g, h, a, b, K(54), M(54) );
550 R( b, c, d, e, f, g, h, a, K(55), M(55) );
551 R( a, b, c, d, e, f, g, h, K(56), M(56) );
552 R( h, a, b, c, d, e, f, g, K(57), M(57) );
553 R( g, h, a, b, c, d, e, f, K(58), M(58) );
554 R( f, g, h, a, b, c, d, e, K(59), M(59) );
555 R( e, f, g, h, a, b, c, d, K(60), M(60) );
556 R( d, e, f, g, h, a, b, c, K(61), M(61) );
557 R( c, d, e, f, g, h, a, b, K(62), M(62) );
558 R( b, c, d, e, f, g, h, a, K(63), M(63) );
559
560 a = ctx->state[0] += a;
561 b = ctx->state[1] += b;
562 c = ctx->state[2] += c;
563 d = ctx->state[3] += d;
564 e = ctx->state[4] += e;
565 f = ctx->state[5] += f;
566 g = ctx->state[6] += g;
567 h = ctx->state[7] += h;
568 }
569 }
Emacs repository mirror